github/distribution
1
0
Fork 0
mirror of https://github.com/distribution/distribution.git synced 2025-06-25 15:03:25 +00:00
Code Issues Projects Releases Wiki Activity
5,648 Commits 24 Branches 6 Tags 145 MiB
fea3638384
Commit Graph

5648 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
João Pereira
27d490c4ab
build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1 (#4579) 2025-02-25 08:16:21 +00:00
João Pereira
205d098fdc
build(deps): bump github.com/go-jose/go-jose/v4 from 4.0.2 to 4.0.5 in the go_modules group (#4582) 2025-02-25 08:15:26 +00:00
dependabot[bot]
fc3dd55d3d
build(deps): bump github.com/go-jose/go-jose/v4 in the go_modules group 
Bumps the go_modules group with 1 update: [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose).


Updates `github.com/go-jose/go-jose/v4` from 4.0.2 to 4.0.5
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Changelog](https://github.com/go-jose/go-jose/blob/main/CHANGELOG.md)
- [Commits](https://github.com/go-jose/go-jose/compare/v4.0.2...v4.0.5)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v4
  dependency-type: direct:production
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-02-24 22:51:52 +00:00
Milos Gajdos
9e96aec357
Fix broken signing algorithm configuration for token authentication (#4578) 2025-02-24 07:41:25 -08:00
evanebb
64f780f6c5
Explicitly return zero value instead of partially filled struct 
Signed-off-by: evanebb <git@evanus.nl>
 2025-02-24 16:04:41 +01:00
dependabot[bot]
da2bbf0441
build(deps): bump actions/upload-artifact from 4.6.0 to 4.6.1 
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.0 to 4.6.1.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v4.6.0...v4.6.1)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-02-24 01:21:18 +00:00
dependabot[bot]
484fa0432a
build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1 
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.4.0 to 2.4.1.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](62b2cac7ed...f49aabe0b5)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-02-24 01:21:15 +00:00
evanebb
0762a1bb57
Fix error message for unsupported signing algorithm by not overriding var 
Signed-off-by: evanebb <git@evanus.nl>
 2025-02-23 22:17:17 +01:00
evanebb
70d99154ac
Fix signing algorithm configuration for token authentication 
Signed-off-by: evanebb <git@evanus.nl>
 2025-02-23 22:16:11 +01:00
Milos Gajdos
63d3892315
registry/storage: add option to quiet GC output. (#4560) 2025-02-13 07:37:00 -08:00
Milos Gajdos
51bdcb7bac
Prep for v3-rc.3 release (#4568) 2025-02-11 07:49:20 -08:00
Milos Gajdos
198db9cb06
Prep for v3-rc.3 release 
* Created a changelog file
* Updated version

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
 2025-02-11 06:56:02 -08:00
Milos Gajdos
5ea9aa028d
Merge commit from fork 
Fix registry token authentication bug
 2025-02-10 19:50:35 -08:00
Milos Gajdos
939a525dd5
Bump Go version (#4566) 2025-02-08 07:20:26 -08:00
Milos Gajdos
7098b3f42c
Bump Go version 
Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
 2025-02-07 19:34:01 -08:00
Milos Gajdos
6ed60b0f48
Apply suggestions from code review 
Co-authored-by: Sebastiaan van Stijn <thaJeztah@users.noreply.github.com>
Signed-off-by: Milos Gajdos <milosgajdos83@gmail.com>
 2025-02-06 17:43:28 +00:00
Milos Gajdos
53c382641c
Remove named returns and fix linting woes 
Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
 2025-02-05 21:26:23 -08:00
Rafael Fonseca
2a491b35dd docs/garbage-collection: document --delete-untagged and --quiet options 
Signed-off-by: Rafael Fonseca <r4f4rfs@gmail.com>
 2025-02-03 17:36:20 +01:00
Rafael Fonseca
a032989bf9 registry/storage: add option to quiet GC output. 
Consumers might not want GC output to be displayed (e.g, if you have
your own logging system).

Signed-off-by: Rafael Fonseca <r4f4rfs@gmail.com>
 2025-02-02 10:18:45 +01:00
Milos Gajdos
f4a500caf6
Fix registry token authentication bug 
When a JWT contains a JWK header without a certificate chain,
the original code only checked if the KeyID (kid) matches one of the trusted keys,
but doesn't verify that the actual key material matches.

As a result, if an attacker guesses the kid, they can inject an
untrusted key which would then be used to grant access to protected
data.

This fixes the issue such as only the trusted key is verified.

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
 2025-02-01 15:30:18 -08:00
Milos Gajdos
7271d882c0
ci: fix bake build (#4555) 2025-01-16 20:19:08 +00:00
CrazyMax
4c5e394561
ci: fix bake build 
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
 2025-01-16 18:54:00 +01:00
Milos Gajdos
3270367d89
(security): Bump golang.org/x/net module (#4542) 2025-01-10 10:51:24 +00:00
Milos Gajdos
17550ead96
build(deps): bump actions/upload-artifact from 4.5.0 to 4.6.0 (#4553) 2025-01-10 10:23:20 +00:00
Milos Gajdos
9dff0cbf9f
ci: update bake-action to v6 (#4554) 2025-01-10 10:06:22 +00:00
CrazyMax
808f0b8961
ci: update bake-action to v6 
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
 2025-01-10 10:31:13 +01:00
dependabot[bot]
825eeb039d
build(deps): bump actions/upload-artifact from 4.5.0 to 4.6.0 
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.5.0 to 4.6.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v4.5.0...v4.6.0)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-01-10 01:54:12 +00:00
Wang Yan
43291261fa
build(deps): bump actions/upload-artifact from 4.3.6 to 4.5.0 (#4538) 2024-12-23 12:43:19 +08:00
Milos Gajdos
f1e33060cb
Fix conformance upload issue: 
We're trying to upload conformance test results from a hidden directory:

Version 4.4.0 introduced a breaking change:
https://github.com/actions/upload-artifact/releases/tag/v4.4.0

We can either set include-hidden-files: true or
ename the directory to e.g., out/ without a leading dot which is what
we do in this PR

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
 2024-12-20 06:32:18 +00:00
Milos Gajdos
38fd91a49e
(security): Bump golang.org/x/net module 
Fixes: https://nvd.nist.gov/vuln/detail/CVE-2024-45338

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
 2024-12-20 06:21:59 +00:00
Milos Gajdos
4890d9e036
Prepare for rc2 release (#4539) 2024-12-18 14:54:27 +00:00
Milos Gajdos
c4a604465f
Prepare for rc2 release 
Seems like we havent done AUTHORS update in a while: this commit
rectififes that.

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
 2024-12-18 08:17:36 +00:00
dependabot[bot]
d85819c08e
build(deps): bump actions/upload-artifact from 4.3.6 to 4.5.0 
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.3.6 to 4.5.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v4.3.6...v4.5.0)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-12-18 01:26:29 +00:00
Milos Gajdos
1c62898144
feat(configuration): support mtls auth mod (#4537) 2024-12-17 14:00:36 +00:00
vitshev
41a906f0c6
fix(configuration): replace string literals with constants in tests 
Signed-off-by: vitshev <vitshev@tracto.ai>
 2024-12-16 22:34:26 +01:00
Vitshev
96c9a85b62
fix(configuration): replace string literals with constants in error 
Co-authored-by: Milos Gajdos <milosgajdos83@gmail.com>
Signed-off-by: Vitshev <vitshev@tracto.ai>
 2024-12-16 22:30:37 +01:00
vitshev
328f802b8e
fix(configuration): replace string literals with constants 
Signed-off-by: vitshev <vitshev@tracto.ai>
 2024-12-16 20:43:30 +01:00
vitshev
916bdeae94
feat(configuration): support mtls auth mod 
Signed-off-by: vitshev <vitshev@tracto.ai>
 2024-12-16 20:43:20 +01:00
Kyle Squizzato
258144d70f
Update squizzi maintainer email (#4530) 2024-12-13 15:49:57 -08:00
Wang Yan
3241bc213c
chore: Bump alpine image version (#4532) 2024-12-13 19:20:48 +08:00
Milos Gajdos
96a3daafe9
Move a direct dependency to direct deps required modules 
Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
 2024-12-12 11:34:21 +00:00
Milos Gajdos
fb3ba302d2
chore: Bump alpine and Go versions 
3.20 had a minor security vulnerability. Let's bump it.

Related:
* https://github.com/distribution/distribution-library-image/issues/171
* https://github.com/distribution/distribution/pull/4527

Bump Go version
* CI
* go.mod

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
 2024-12-12 11:29:11 +00:00
Milos Gajdos
b2ae9e398c
update xx to v1.6.1 for compatibility with alpine 3.21 and file 5.46+ (#4527) 2024-12-12 10:55:20 +00:00
Milos Gajdos
61ee69943b
build(deps): bump golang.org/x/crypto from 0.28.0 to 0.31.0 (#4531) 2024-12-12 08:54:46 +00:00
dependabot[bot]
6eba54be60
build(deps): bump golang.org/x/crypto from 0.28.0 to 0.31.0 
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.28.0 to 0.31.0.
- [Commits](https://github.com/golang/crypto/compare/v0.28.0...v0.31.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-12-12 08:34:18 +00:00
Kyle Squizzato
183919cee5
Update squizzi maintainer email 
Signed-off-by: Kyle Squizzato <kyle@replicated.com>
 2024-12-11 12:08:38 -08:00
Sebastiaan van Stijn
179e902fe9
update xx to v1.6.1 for compatibility with alpine 3.21 and file 5.46+ 
This fixes compatibility with alpine 3.21 and file 5.46+

- Fix additional possible `xx-cc`/`xx-cargo` compatibility issue with Alpine 3.21
- Support for Alpine 3.21
- Fix `xx-verify` with `file` 5.46+
- Fix possible error taking lock in `xx-apk` in latest Alpine without `coreutils`

full diff: https://github.com/tonistiigi/xx/compare/v1.2.1...v1.6.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2024-12-10 10:40:30 +01:00
Milos Gajdos
f2658eeb0b
docs: Explain how to configure a list through env variables (#4522) 2024-12-03 17:57:32 +00:00
Victor Barbu
1d104a9399
[docs] Explain how to configure a list through env variables 
Signed-off-by: Victor Barbu <git.zqk3n@vicb.cc>
 2024-12-03 19:08:23 +02:00
Milos Gajdos
e3007cd2bc
Upgrade go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp (#4507) 2024-11-20 11:23:40 +00:00